HomeServicesAudit & AssuranceCyber Security Control & IT Risk Review

Audit & Assurance · Information Systems & IT Audit

Cyber Security Control & IT Risk Review

Cyber risk is now a Board-level line item, not an IT department memo.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Cyber risk is now a Board-level line item, not an IT department memo. Regulators — SEBI, RBI, IRDAI, CERT-In, and the Ministry of Electronics and IT — have moved cybersecurity from a discretionary good practice to a documented, testable, reportable obligation, with real deadlines and real penalties attached. At PNPC Global, we have supported Boards and Audit Committees across India and the UAE since 1986 with the assurance work that sits underneath every governance certification. A Cyber Security Control & IT Risk Review gives your Board, your statutory auditor, and your regulator independent, evidence-based comfort that your controls are designed properly and are actually operating — not just documented in a policy nobody follows.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Cyber Security Control & IT Risk Review is

A Cyber Security Control & IT Risk Review is an independent assessment of the policies, technical controls, and governance processes an organisation has in place to protect its information systems, data, and digital infrastructure from unauthorised access, disruption, and compromise — and of how effectively those controls actually operate in day-to-day use. Unlike a penetration test, which simulates an attack to find exploitable technical vulnerabilities, or a certification audit for a specific standard, a control and IT risk review takes a governance, risk, and controls (GRC) lens: it maps your IT risk universe, evaluates the design of controls against a recognised framework (commonly COBIT 2019, ISO/IEC 27001:2022, or the NIST Cybersecurity Framework), tests whether those controls are operating as designed, and reports gaps with a prioritised remediation roadmap that the Board and Audit Committee can act on.

In India, this work increasingly sits at the intersection of several distinct but overlapping regulatory obligations rather than being a purely voluntary exercise. SEBI-registered intermediaries and market infrastructure institutions — stock exchanges, depositories, clearing corporations, stock brokers, mutual funds/AMCs, RTAs, depository participants, and other SEBI Regulated Entities — fall under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), which consolidated and superseded the earlier sector-specific SEBI cyber circulars and requires periodic risk assessments, defined incident response and reporting timelines, and Board-level oversight through a designated Chief Information Security Officer (CISO) function. Listed companies more broadly carry a related but distinct obligation — cybersecurity incident and materiality disclosures under SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations — which is a narrower disclosure duty rather than the full CSCRF control framework, though a listed company that is itself a SEBI-registered intermediary (a listed broker or AMC, for instance) carries both. Banks, NBFCs, and payment system operators regulated by the Reserve Bank of India operate under RBI's cybersecurity framework circulars, which mandate a Board-approved cyber security policy distinct from the general IT policy, periodic vulnerability assessment and penetration testing (VAPT), and defined cyber-crisis management plans. Every entity handling computer resources in India — regardless of sector — is also subject to CERT-In's April 2022 directions under Section 70B of the Information Technology Act 2000, which mandate reporting of specified categories of cyber incidents to CERT-In within six hours of detection and require designated entities to maintain logs of ICT systems for a rolling 180-day period within India.

Statutory auditors increasingly reach into the IT control environment as part of their own work under the Companies Act 2013 as well. Where financial reporting depends on IT systems — which, in practice, is virtually every company today — the auditor's opinion on Internal Financial Controls under Section 143(3)(i) and the CARO 2020 commentary on internal controls implicitly depend on the IT General Controls (ITGC) that sit underneath the financial application: access provisioning and de-provisioning, change management, backup and recovery, and job scheduling. A cybersecurity and IT risk review commissioned proactively, ahead of the statutory audit, surfaces and remediates ITGC and broader cyber-risk gaps before they surface as audit findings, management letter points, or — in the worst case — a control failure that leads to a data breach, financial fraud, or a reportable incident under the Digital Personal Data Protection Act 2023.

The review typically culminates in a structured report to the Board or Audit Committee — often as a specific agenda item under the IT Strategy Committee or Risk Management Committee where one exists — classifying each finding by severity, mapping it to the governing framework's control reference, and setting owner-assigned remediation timelines. For regulated entities, this report frequently forms part of the evidentiary basis for the CISO's periodic reporting to the Board and for representations made to SEBI, RBI, or IRDAI on the adequacy of the cybersecurity posture. For unregulated but growing companies, the same discipline is increasingly a precondition for enterprise sales, insurance underwriting for cyber-liability cover, and investor due diligence.

When a Cyber Security Control & IT Risk Review makes sense

You are a SEBI-registered intermediary or market infrastructure institution (stock broker, mutual fund/AMC, depository participant, RTA, exchange, clearing corporation, or similar Regulated Entity) and SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) requires periodic risk assessment, Board reporting, and CISO oversight of your cyber posture — or you are a listed company with cybersecurity incident and materiality disclosure obligations under SEBI's LODR Regulations

You are a bank, NBFC, payment aggregator, or other RBI-regulated entity subject to a Board-approved cybersecurity policy, mandatory periodic VAPT, and a defined cyber-crisis management plan under RBI's cybersecurity framework circulars

Your statutory auditor's IFC review under Section 143(3)(i) or CARO 2020 commentary depends on IT General Controls — access management, change management, backups — that have never been independently tested

You process or store personal data at scale and need to assess your control readiness ahead of the Digital Personal Data Protection Act 2023 rules taking full effect, including breach notification and data fiduciary obligations

You are a designated entity under CERT-In's April 2022 directions and need to confirm your logging retention (180 days, India-located), incident reporting workflow, and NTP synchronisation practices are actually in place — not just documented

A cyber incident, ransomware attempt, phishing compromise, or unauthorised access event has already occurred, and the Board or Audit Committee wants an independent root-cause and control-gap assessment, not an internal IT team's self-review

You are pursuing cyber-liability insurance and the underwriter's proposal form requires evidence of a recent independent security control assessment, not just a self-certified questionnaire

You are preparing for a funding round, enterprise customer onboarding, or vendor empanelment where the counterparty's due diligence checklist requires evidence of a documented, tested information security control environment

Your organisation has grown quickly — new offices, new SaaS tools, remote/hybrid workforce, BYOD — and IT risk has outpaced the last time policies and access controls were reviewed

When a different engagement fits better

You need to know whether specific systems can be technically breached right now — that calls for a Vulnerability Assessment & Penetration Test (VAPT), a narrower and more technical engagement than a governance-level control review, though the two are complementary and often sequenced together

You need formal certification against ISO/IEC 27001 for a customer contract or tender requirement — that requires a certification audit by an accredited certification body; PNPC can prepare you for it, but cannot issue the certificate itself

You are a very early-stage startup with minimal customer data, no regulatory trigger, and no near-term enterprise sales or funding requirement — a lighter security hygiene checklist embedded in your IT setup is more proportionate than a full framework-based review

You need an ongoing, always-on security operations capability — continuous monitoring, SIEM alerting, 24x7 SOC — which is a managed security service, not a periodic assurance engagement

Your primary need is drafting or updating IT and data protection policies from scratch with no existing control environment to assess — that is a policy-drafting engagement that should typically precede, not replace, a control review

You need software code security review (secure code review, SAST/DAST) for a specific application under development — that is an application security engagement, narrower in scope than an organisation-wide IT risk review

Structure Comparison

Cyber Security Control & IT Risk Review vs related IT assurance and security engagements

FeatureCyber Security Control & IT Risk ReviewVAPT (Penetration Test)ISO 27001 Certification AuditIT General Controls (ITGC) ReviewSOC 2 Report
Primary objectiveAssess design & operating effectiveness of cybersecurity governance and controls against a frameworkActively attempt to exploit technical vulnerabilities in systems and networksCertify an Information Security Management System (ISMS) meets ISO/IEC 27001 requirementsAssess controls specifically over IT systems supporting financial reportingReport on service organisation controls for user entities and their auditors
Governing frameworkCOBIT 2019 / ISO 27001 / NIST CSF, mapped to applicable Indian regulatory requirementsOWASP Testing Guide, PTES, or similar technical methodologyISO/IEC 27001:2022 standard clauses and Annex A controlsCOSO / COBIT, scoped to financially relevant systemsAICPA Trust Services Criteria (international, common for SaaS exports)
Statutory/regulatory trigger in IndiaSEBI CSCRF (SEBI-registered intermediaries/market infrastructure institutions), SEBI LODR (listed cos, disclosure only), RBI cyber framework (banks/NBFCs), CERT-In directions (all entities), DPDP Act readinessOften a component required by SEBI CSCRF, RBI framework, PCI-DSS, or customer contracts — not independently mandated by a single Indian statuteNot mandated by Indian law — market/customer/tender drivenFeeds Section 143(3)(i) auditor opinion and CARO 2020 IFC commentaryNot mandated in India — driven by international (mainly US) customer/vendor requirements
Who performs itIndependent CA/risk advisory firm with IT audit specialisation, reporting to Board/Audit CommitteeSpecialised penetration testing team (often CERT-In empanelled for regulated-entity engagements)Accredited ISO certification body (PNPC prepares; cannot certify)Statutory auditor or independent IT audit specialist, often coordinated with the financial auditIndependent CPA/CA firm licensed for SOC engagements
OutputBoard/Audit Committee report — control matrix, gap classification, remediation roadmapTechnical vulnerability report with CVSS severity ratings and proof-of-concept detailCertificate of conformity (valid 3 years, with annual surveillance audits)Gap report feeding the statutory audit file and management letterSOC 2 Type I (point in time) or Type II (period of operation) report
Typical frequencyAnnually, or per regulator-mandated cycle (SEBI/RBI often prescribe periodicity)Annually at minimum; more often for regulated/high-risk entities or after major system changesInitial certification + annual surveillance + 3-year recertificationAnnually, alongside the statutory audit cycleType II typically covers a 6–12 month observation period, repeated annually
Relationship to statutory auditDirectly supports and de-risks the Sec 143(3)(i) IFC opinion where IT underpins financial reportingIndirect — findings may be referenced if a vulnerability has financial-reporting relevanceIndependent of statutory audit; may be referenced in customer/vendor due diligenceForms part of the statutory audit working papersIndependent of Indian statutory audit; relevant mainly for export-oriented SaaS clients
Typical engagement length6–10 weeks depending on entity size and scope1–3 weeks technical testing window, plus reportingSeveral months of ISMS build-out before a 1–2 week certification audit3–6 weeks, scoped to financially relevant systemsObservation period (6–12 months) plus several weeks of reporting

This table is directional. The right combination — a control review, VAPT, ITGC review, and/or certification support — depends on your regulatory category, customer requirements, and current maturity. Many PNPC clients run a Cyber Security Control & IT Risk Review as the governance-level umbrella, with VAPT commissioned as a technical component within it. A scoping conversation is the right starting point.

How it works
#Stage & What PNPC DoesCA Advice Portals Never GiveTimeline
1Scoping & Regulatory Mapping — understanding which frameworks actually apply to youWe ask what a generic security vendor rarely asks first: are you a SEBI-registered intermediary or market infrastructure institution (CSCRF applies) or a listed company with LODR disclosure duties only? RBI-regulated (separate cyber policy and VAPT cadence required)? A CERT-In 'designated entity' with 180-day logging obligations? Handling data that will trigger DPDP Act fiduciary duties? The applicable regulatory stack determines the review scope, the reporting cadence, and the Board-level oversight structure we design around — before any technical work begins.Week 1
2IT Asset & Risk Universe Mapping — what systems, data, and third parties are actually in scopeMost organisations underestimate their own IT footprint — shadow IT (unsanctioned SaaS tools), vendor-managed infrastructure, and legacy systems nobody remembers commissioning. We build a current-state inventory of systems, data flows, and third-party/vendor access points, because a control review scoped against an incomplete asset list gives false comfort.Week 1–2
3Governance & Policy Review — is there a Board-approved cybersecurity policy, and does it match reality?A cybersecurity policy copied from a template and never updated is worse than no policy — it creates a documented gap between what the Board believes is happening and what is actually happening. We review the Information Security Policy, Acceptable Use Policy, Data Classification Policy, Incident Response Plan, and BCP/DR Plan against both the applicable framework and actual operating practice.Week 2
4Access Control & Identity Management Testing — who can access what, and whyWe test user access provisioning and de-provisioning end-to-end: is access granted on a documented request with approval? Is it removed promptly on role change or exit — a control that fails constantly in fast-growing companies? Is privileged/admin access restricted and logged? Are shared or generic logins in use (a common but high-risk shortcut)? Segregation of duties within critical systems is assessed here, not assumed.Week 2–3
5Network & Infrastructure Control Review — perimeter, segmentation, and configuration baselineWe review firewall rule-sets, network segmentation between production and non-production environments, patch management cadence, endpoint protection deployment, and secure configuration baselines against a recognised hardening standard (such as CIS Benchmarks) — evaluated for design adequacy, coordinated with VAPT findings where a technical test is also commissioned.Week 3–4
6Data Protection & DPDP Act Readiness Assessment — classification, encryption, retention, consentPersonal data handling now carries direct statutory exposure. We assess data classification discipline, encryption of data at rest and in transit for sensitive categories, retention and secure-disposal practices, and — for entities that will be data fiduciaries under the DPDP Act 2023 — the consent architecture and breach-notification readiness the Act and its rules will require.Week 3–4
7Third-Party & Vendor Risk Review — the control gap most organisations never testData breaches increasingly originate through a vendor, not the primary organisation. We review vendor onboarding due diligence, data-sharing agreements and their security clauses, and whether critical vendors (cloud hosting, payroll processors, SaaS tools handling customer data) have been assessed for their own control posture — a step most internal reviews skip entirely.Week 4
8Incident Response & CERT-In Compliance Testing — is the six-hour reporting workflow real or theoretical?CERT-In's April 2022 directions require reporting of specified incident categories within six hours of detection, and mandate 180-day log retention within India with synchronised network time. We test whether the incident response plan has actually been exercised (tabletop or live), whether logging meets the retention and localisation requirement, and whether the organisation could genuinely meet the six-hour window if an incident occurred today.Week 4–5
9IT General Controls (ITGC) Testing for Financial Systems — the link to your statutory auditWhere financial reporting depends on ERP, accounting, or billing systems, we specifically test the ITGCs — change management for system configuration, backup and recovery testing (not just backup existence), and job scheduling controls — using the same lens the statutory auditor will apply under Section 143(3)(i) and CARO 2020, so findings here pre-empt audit findings later.Week 5
10Gap Classification & Risk Rating — Critical, High, Medium, Low, mapped to framework control referencesNot every finding carries equal weight. We classify each gap by severity and likelihood, map it to the specific COBIT/ISO 27001/NIST control reference and, where applicable, the specific SEBI/RBI/CERT-In requirement it relates to — so the remediation priority is defensible to the Board and, if needed, to a regulator.Week 5–6
11Management Discussion & Draft Report — validating findings before they are finalisedFindings are walked through with IT leadership and process owners before the report is finalised — both to confirm factual accuracy and to begin remediation planning immediately, rather than presenting the Board with a surprise report that generates more questions than answers.Week 6
12Remediation Roadmap — prioritised, owner-assigned, dated, with interim compensating controlsA gap list without an execution plan is next year's audit finding repeated. We build a roadmap with named owners, realistic target dates given your team's capacity, and interim compensating controls for anything classified Critical or High that cannot be fixed immediately.Week 6–7
13Board / Audit Committee / IT Strategy Committee Presentation — the governance evidence trailWe present findings directly to the Board, Audit Committee, or IT Strategy Committee (where one exists), giving directors and the CISO the documented, evidentiary basis for their own periodic reporting obligations under SEBI CSCRF, RBI's framework, or general Section 134(5)(e) IFC certification.Week 7
14Post-Remediation Verification — confirming fixes actually took effectA remediation marked complete by the IT team is not the same as a remediation independently verified as operating. We re-test a sample of remediated controls before the next audit or reporting cycle to confirm the fix is embedded — not just closed in a tracker.8–12 weeks after initial report, timed to your compliance calendar

A first-time review for a mid-sized company typically runs 6–8 weeks end-to-end for the assessment and report, with remediation verification following 2–3 months later. Regulated entities (SEBI CSCRF-covered intermediaries, RBI-regulated) with a defined reporting cadence are scheduled to that cycle. Subsequent-year reviews, building on an existing control matrix and asset inventory, are typically faster.

Document Checklist
Governance & Policy Documents

Board-approved Information Security / Cybersecurity Policy — distinct from a general IT policy; RBI-regulated entities specifically require a separate Board-approved cybersecurity policy

IT Strategy Committee / Risk Management Committee / Audit Committee minutes referencing cybersecurity discussions for the review period

Incident Response Plan and Business Continuity / Disaster Recovery (BCP/DR) Plan, along with evidence of the last test or tabletop exercise conducted

Data Classification Policy and Acceptable Use Policy currently in force

Prior cybersecurity audit reports, VAPT reports, or ISO 27001 surveillance audit findings, if any exist

Organisation chart showing the CISO or equivalent security ownership role and its reporting line to the Board or a Board committee

IT Asset & Infrastructure Documentation

Current IT asset inventory — servers, endpoints, network devices, and cloud infrastructure accounts (AWS/Azure/GCP or equivalent)

Network architecture diagram showing segmentation between production, non-production, and corporate network zones

List of all SaaS applications and third-party tools in active use, including any procured outside a formal IT procurement process (shadow IT)

Patch management records and endpoint protection (antivirus/EDR) deployment coverage report

Firewall rule-set export and configuration baseline documentation for critical infrastructure

Access Control & Identity Records

Current user access list for all critical systems (ERP, financial systems, core business applications), with role/privilege mapping

Access provisioning and de-provisioning records for the review period, including evidence of timely removal on employee exit or role change

Privileged/administrator account inventory and log of privileged access usage

Multi-factor authentication (MFA) coverage report across email, VPN, and critical system access

Password policy and evidence of enforcement (complexity, rotation, lockout settings)

Data Protection & DPDP Act Readiness Documents

Data inventory / data mapping showing categories of personal data collected, where stored, and retention period applied

Encryption standards documentation for data at rest and in transit for sensitive/personal data categories

Consent capture mechanism documentation, where personal data is collected directly from data principals (customers, employees)

Data-sharing and data processing agreements with third-party vendors handling personal data on the company's behalf

Data breach / incident log for the review period, if any incidents occurred, along with the response taken

Logging, Monitoring & Incident Records (CERT-In relevant)

Log retention configuration evidence — confirming logs of ICT systems are retained for a rolling 180 days and stored within India as required under CERT-In's April 2022 directions

Network Time Protocol (NTP) synchronisation configuration — CERT-In directions require system clocks to be synchronised to designated time servers

Security monitoring / SIEM tool configuration and sample alert-to-resolution records, where such a tool is deployed

Any cyber incident reports filed with CERT-In during the review period, along with the internal timeline from detection to reporting

Third-Party & Vendor Risk Documents

List of critical third-party vendors with access to systems or data — cloud hosting, payroll processor, payment gateway, SaaS tools handling customer data

Vendor due diligence records or security questionnaires completed for critical vendors

Copies of Master Service Agreements or Data Processing Agreements containing security and confidentiality clauses with key vendors

Any vendor-side certifications (ISO 27001, SOC 2) provided by critical vendors as evidence of their own control posture

Financial-System-Relevant IT Controls (ITGC scope)

Change management log for the ERP or core financial system — configuration changes, approvals, and testing evidence for the review period

Backup schedule and evidence of periodic backup restoration testing — not merely confirmation that backups run

Job scheduling and batch processing controls documentation for automated financial processes, where applicable

System access review sign-off records for financially relevant applications, evidencing periodic management review of who has access

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Baseline Review (Year 1)Regulatory trigger, Board direction, or growth-driven risk exposureFull scoping against applicable frameworks (SEBI CSCRF / RBI cyber framework / CERT-In / DPDP Act as relevant), asset and risk mapping, governance and technical control testing, gap classification, and a Board-ready remediation roadmap.Undiscovered control gaps persist silently until an incident, a regulator inspection, or a statutory audit finding forces reactive, more costly remediation under pressure.
Remediation Execution (Months 1–4 post-review)Findings report deliveredOwner-assigned, dated remediation tracking with PNPC follow-up. Interim compensating controls advised for anything classified Critical or High that cannot be closed immediately — access restriction, additional monitoring, manual review steps — until the permanent fix is implemented.Findings marked 'in progress' indefinitely with no independent verification recur as the same finding in the next audit or regulatory inspection, undermining Board and auditor confidence in the remediation process.
Verification & Sign-off (Months 4–6)Remediation deadlines reachedIndependent re-testing of a sample of remediated controls to confirm operating effectiveness — not a desk review of a status update from the IT team. Findings are formally closed only on verified evidence.Controls reported as 'closed' without verification create a false record relied upon by the Board's Sec 134(5)(e) certification and the statutory auditor's Sec 143(3)(i) opinion — a governance exposure if a gap resurfaces.
Statutory Audit Coordination (Year-end)Financial year close approachingHandover of the control matrix, testing evidence, and remediation status to the statutory auditor in a format that supports their ITGC reliance and Sec 143(3)(i)/CARO 2020 work — reducing duplicate testing and helping keep the audit timeline on schedule.Unresolved IT control gaps discovered independently by the statutory auditor during year-end fieldwork generate audit findings, management letter points, or, for material weaknesses, qualified reporting under CARO 2020.
Regulatory Reporting CycleSEBI CSCRF / RBI framework prescribed periodicityAlignment of the review cadence to the specific regulatory reporting calendar — CSCRF and RBI circulars prescribe periodic assessment and Board reporting intervals — so the review output is available in time to support the CISO's and Board's statutory representations.Missed or late alignment to the regulator's prescribed cycle exposes the entity to supervisory findings, and in serious cases, regulatory action for inadequate cyber governance.
Incident Response ActivationActual cyber incident — breach, ransomware, unauthorised accessIndependent root-cause and control-failure assessment distinct from the internal IT team's own incident report — supporting the six-hour CERT-In reporting workflow where applicable, Board notification, and (where personal data is involved) DPDP Act breach-notification obligations.A self-assessed incident response without independent review risks incomplete root-cause identification, repeat incidents, and — if statutory notification deadlines are missed — separate regulatory exposure on top of the incident itself.
Annual Refresh & Re-scopingNew systems, new vendors, organisational growth, M&ARe-scoping the asset inventory and risk universe annually — new SaaS tools, new offices, new acquisitions, and workforce changes all shift the risk profile. A control matrix built for last year's IT footprint gives false comfort against this year's actual exposure.A stale review that does not reflect current systems and vendors leaves genuinely new risk areas — the newest SaaS tool, the newly acquired subsidiary's legacy systems — completely untested.

This lifecycle reflects a typical mid-sized company's cadence. Regulated entities (SEBI CSCRF-covered intermediaries, RBI-regulated) should align the review and reporting phases to their specific framework's prescribed periodicity rather than a generic annual assumption — PNPC confirms the applicable cadence during scoping.

Frequently asked
What exactly is a Cyber Security Control & IT Risk Review, in plain terms?

It is an independent check on whether your organisation's cybersecurity policies and technical controls are properly designed and are actually being followed in practice — not just written down. We map your IT risk areas, test access controls, network security, data protection practices, incident response readiness, and vendor risk against a recognised framework, then report gaps to your Board or Audit Committee with a prioritised plan to fix them.

Practitioner noteThe gap between 'we have a policy for that' and 'that policy is actually followed every time' is where almost every serious finding in this review originates. We test the second, not just the first.
Is this the same as a penetration test?

No. A penetration test (VAPT) actively attempts to technically exploit vulnerabilities in your systems and networks to see what an attacker could achieve. A Cyber Security Control & IT Risk Review takes a broader governance and controls view — policies, access management, vendor risk, incident response readiness, and regulatory compliance — and evaluates whether the overall control environment is sound. The two are complementary; many clients commission VAPT as a technical component within the broader review, but they are not interchangeable.

Practitioner noteWe frequently see organisations commission an expensive penetration test while their access de-provisioning process — a former employee's login still active six months after they left — remains completely untested. Both matter; they test different things.
Does my company legally need this review, or is it optional?

It depends on your regulatory category. SEBI-registered intermediaries and market infrastructure institutions (stock brokers, mutual funds/AMCs, depository participants, RTAs, exchanges, clearing corporations, and similar Regulated Entities) fall under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), which mandates periodic risk assessment and Board-level reporting; listed companies generally (even if not a CSCRF-covered intermediary) carry a narrower cybersecurity incident and materiality disclosure obligation under SEBI's LODR Regulations. Banks, NBFCs, and payment system operators fall under RBI's cybersecurity framework circulars, which require a Board-approved cybersecurity policy and periodic VAPT. Every entity that is a 'designated entity' under CERT-In's April 2022 directions has specific logging and incident-reporting obligations. If none of these apply to you directly, the review is not a standalone statutory requirement — but it remains good governance practice, particularly if IT systems underpin your financial reporting (relevant to your statutory auditor's Section 143(3)(i) opinion) or if you handle personal data that will trigger obligations under the Digital Personal Data Protection Act 2023.

Practitioner noteWe map the applicable regulatory stack for your specific entity type in the scoping conversation before any technical work begins — this determines the framework we test against and the reporting cadence we recommend.
What is SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF)?

CSCRF is SEBI's consolidated cybersecurity framework applicable to SEBI-registered intermediaries and market infrastructure institutions in the securities market — stock exchanges, depositories, clearing corporations, stock brokers, mutual funds/AMCs, RTAs, depository participants, and other categories of SEBI Regulated Entities — that brought together and updated the earlier sector-specific cyber circulars into a single framework. It requires periodic cyber risk assessments, defined incident detection and reporting timelines, a designated CISO function reporting to the Board, and specific controls around data localisation and audit requirements depending on the entity category. Listed companies that are not themselves SEBI-registered intermediaries fall outside CSCRF's direct scope but carry a related, narrower obligation — cybersecurity incident and materiality disclosure under SEBI's LODR Regulations.

Practitioner noteCSCRF applicability and the specific obligations differ by entity category within SEBI's regulated universe — a stock broker's obligations are not identical to an AMC's, and a listed company that is not itself a SEBI-registered intermediary is generally outside CSCRF altogether. We confirm your exact category and applicable clauses before scoping.
What are CERT-In's cyber incident reporting directions and do they apply to us?

CERT-In (Indian Computer Emergency Response Team), under Section 70B of the Information Technology Act 2000, issued directions in April 2022 that apply broadly to entities operating computer resources in India. Key obligations include: reporting specified categories of cyber security incidents (data breaches, ransomware, unauthorised access, and others listed in the directions) to CERT-In within six hours of detection or of being made aware of the incident; maintaining logs of all ICT systems for a rolling period of 180 days, stored within India; and synchronising system clocks to designated time sources. These directions apply broadly — not just to large or regulated entities.

Practitioner noteThe six-hour window is measured from detection or awareness, not from when the incident actually began — and it is a genuinely tight window. Most organisations discover during our review that their internal escalation process alone would consume most or all of that six hours before anyone even started drafting the CERT-In report. We test this specifically.
How does this review connect to my statutory audit?

Where your financial reporting depends on IT systems — which is the case for virtually every company today — your statutory auditor's opinion under Section 143(3)(i) of the Companies Act 2013 on Internal Financial Controls, and the CARO 2020 commentary on internal controls, both implicitly rely on the IT General Controls underneath your financial systems: access management, change management, backup and recovery. A cybersecurity control review conducted ahead of the year-end audit surfaces and fixes these gaps proactively, rather than having the statutory auditor discover them during audit fieldwork and raise them as findings or management letter points.

Practitioner noteWe time the ITGC-relevant portion of the review to complete before year-end audit fieldwork begins wherever possible — a gap found and fixed in month 9 is a non-event; the same gap found by the auditor in month 12 becomes a documented audit finding.
What framework do you assess against — ISO 27001, COBIT, or something else?

We typically assess against COBIT 2019 for governance and management objectives, cross-referenced with ISO/IEC 27001:2022 Annex A controls and, where relevant, the NIST Cybersecurity Framework — and map findings to the specific applicable Indian regulatory requirement (SEBI CSCRF, RBI framework, CERT-In directions, DPDP Act) so the report is directly useful for your actual compliance obligations, not just a generic international benchmark.

Practitioner noteA report that says 'you scored 62% against ISO 27001' is not actionable on its own. We map every finding to a specific control gap, a specific business risk, and — where relevant — a specific regulatory clause, so the Board knows exactly what it is deciding to fix or accept.
How long does the review take?

A first-time review for a mid-sized company typically takes 6–8 weeks for the assessment and report, followed by remediation verification 2–3 months later. Larger or more complex organisations, or those with multiple regulated entities/subsidiaries in scope, take longer. Subsequent-year reviews, building on an established asset inventory and control matrix, are typically faster since the framework only needs updating for what has changed.

Practitioner noteThe single biggest driver of timeline in practice is not our testing speed — it is how quickly the client's IT team can produce the requested access logs, configuration exports, and policy documents. We flag this at kickoff and provide the full document checklist upfront to avoid mid-review delays.
What does the review actually cost?

The fee depends on the number of systems and locations in scope, whether VAPT is bundled in, the applicable regulatory framework, and organisational size and complexity. PNPC provides a written scope and fixed fee after the initial scoping conversation — we do not quote a number before understanding your IT footprint and regulatory category, because a review scoped for a 30-person single-office company and one scoped for a multi-entity, RBI-regulated group are not comparable engagements.

Practitioner noteAsk for the written scope before engaging any firm for this work. A vague scope is the most common reason cybersecurity review fees run over budget mid-engagement — undefined boundaries around 'how many systems' and 'how many locations' are the usual culprits.
We already have an internal IT team that manages security. Why do we need an external review?

Internal IT teams are usually the ones who designed and operate the controls being tested — an internal self-review has an inherent conflict of interest and, more practically, an internal team often cannot see its own blind spots. Independent review provides objectivity the Board and Audit Committee (and, where applicable, a regulator) can actually rely on. It is also frequently a specific expectation under SEBI CSCRF and RBI's cybersecurity framework that the assessment carries genuine independence from day-to-day IT operations.

Practitioner noteWe have found strong internal IT teams miss the same categories of gap repeatedly — not from incompetence, but because they are testing their own work. An access review performed by the person who provisions access rarely catches their own provisioning shortcuts.
What happens if the review finds a critical gap — do you report it to the regulator?

PNPC's role in this engagement is to report findings to your Board, Audit Committee, or IT Strategy Committee — the decision on any external disclosure (to a regulator, to affected data subjects, or otherwise) rests with your organisation and its legal counsel, guided by the specific statutory trigger involved. Where a finding relates to an actual incident that meets CERT-In's reportable categories, the six-hour reporting clock is a separate, time-bound legal obligation that exists independently of our review — we flag this immediately if we identify it during fieldwork.

Practitioner noteWe are clear with clients upfront: if we find evidence of an active, ongoing, unreported incident during a review, we raise it immediately — not in the final report weeks later. Time-sensitive statutory windows do not wait for report drafting.
Do you also perform the penetration testing (VAPT), or only the governance review?

PNPC scopes and coordinates VAPT as part of a combined engagement where clients want both the governance-level control review and the technical penetration test, working with specialised technical testing partners for the hands-on exploitation work while PNPC leads the overall scoping, framework mapping, Board reporting, and remediation governance.

Practitioner noteFor RBI-regulated entities specifically, VAPT is often required from a CERT-In empanelled testing organisation — we confirm this requirement during scoping and coordinate accordingly.
What is the Digital Personal Data Protection Act 2023 and how does it affect this review?

The DPDP Act 2023 is India's comprehensive data protection legislation, governing how organisations (data fiduciaries) collect, process, store, and protect personal data of individuals (data principals). It introduces obligations around consent, purpose limitation, data breach notification, and reasonable security safeguards, with the detailed operational rules and effective-date provisions being notified in phases. As part of this review, we assess your data classification, encryption, retention, and consent-architecture readiness against the Act's requirements, so that when the operational rules are fully in force, your control environment is not starting from zero.

Practitioner noteThe Act's rules and compliance timelines have been rolled out progressively rather than all at once — we track the notification status and advise clients on what is currently in effect versus what to prepare for ahead of full enforcement, rather than treating every provision as immediately binding.
What is an IT General Control (ITGC) and why does it matter for a financial audit?

IT General Controls are the foundational controls over an IT environment that support the reliability of application-level controls and, in turn, financial reporting — access management (who can get into a financial system and how that is granted/removed), change management (how changes to system configuration are approved and tested), backup and recovery (whether financial data can actually be restored if lost), and job scheduling (whether automated financial processes run reliably and completely). If ITGCs are weak, an auditor cannot rely on any application control that depends on that IT environment — which can significantly increase the scope and cost of substantive testing in the statutory audit.

Practitioner noteWe have seen well-run finance teams undone by a single weak ITGC — a shared 'admin' login used by three different people, no individual accountability — that forces the statutory auditor to substantively test transactions they would otherwise have relied on controls for. Fixing that one control before year-end is far cheaper than the expanded audit scope that follows if it is not.
How is a Critical, High, Medium, or Low finding actually defined?

We classify findings using a consistent risk-rating methodology based on the likelihood of the control gap being exploited or causing harm, and the potential impact if it is — financial, regulatory, reputational, or operational. A Critical finding typically involves an active exploit path to sensitive data or financial systems with no compensating control. High findings represent a significant control gap that is not immediately exploitable but poses material risk. Medium and Low findings represent design or process gaps with lower immediate risk but that still warrant remediation to avoid future exposure.

Practitioner noteWe deliberately calibrate severity conservatively rather than inflating findings — a report with twenty 'Critical' findings trains the Board to stop believing the word 'Critical' means anything. Genuine criticals should be rare and should get immediate attention; everything else gets a realistic, proportionate rating.
Can this review help us get cyber-liability insurance or reduce our premium?

Many cyber-liability insurers now require or reward evidence of an independent, recent security assessment as part of underwriting — some proposal forms ask for it directly, and insurers increasingly price premiums based on demonstrated control maturity rather than self-certified questionnaires alone. A completed review with a clean or well-remediated findings profile can support both the underwriting process and, in some cases, more favourable terms, though PNPC does not control or guarantee insurer pricing decisions.

Practitioner noteWe recommend clients share the executive summary and remediation status with their insurance broker directly — insurers respond far better to a structured, professionally issued report than to an internal self-assessment questionnaire filled in by the IT team.
We are a startup with no external funding yet. Do we really need this?

Not necessarily as a full framework-based review. Very early-stage companies with minimal customer data, no regulatory trigger, and no near-term funding or enterprise-sales requirement are generally better served by a lighter security hygiene checklist folded into their broader IT and accounting setup. The formal review becomes proportionate once you handle meaningful customer data, approach a funding round where investor due diligence will ask about it, or start selling to enterprise customers whose vendor onboarding requires evidence of a control environment.

Practitioner noteWe would rather tell a founder honestly that a full review is premature than sell an engagement that is disproportionate to their current risk. We flag the trigger points — first enterprise customer, first funding round, first meaningful volume of personal data — so you know when it becomes the right time.
What is the difference between a 'control deficiency,' a 'significant deficiency,' and a 'material weakness'?

These are severity classifications commonly used in control assessments, borrowed from the same conceptual framework used in Internal Financial Controls reporting. A control deficiency exists when a control is not designed or operating in a way that allows timely prevention or detection of a risk, but the impact is limited. A significant deficiency is more severe and merits attention from those responsible for governance. A material weakness represents a reasonable possibility that a material misstatement, breach, or loss will not be prevented or detected in a timely manner — the most serious category, typically requiring immediate Board and, where relevant, auditor attention.

Practitioner noteWe use this same three-tier language across both our IFC reviews and cybersecurity reviews deliberately — it gives the Audit Committee one consistent severity vocabulary across all their assurance reports, rather than a different scale for every type of review.
Does PNPC provide ongoing monitoring after the review, or is it a one-time engagement?

The core review is a periodic point-in-time (or period-of-review) assessment, not continuous monitoring — continuous security operations (SIEM alerting, 24x7 SOC) is a different, always-on managed service that PNPC does not itself operate. What PNPC does provide is remediation tracking through to verified closure, and typically an annual or regulator-cadence-aligned refresh review, so your control environment does not go untested again until the next incident or audit finding forces the issue.

Practitioner noteWe are candid with clients that a review, however thorough, is a snapshot. Real security posture depends on what happens in the months between reviews — which is exactly why we push for a defined annual or cadence-based refresh rather than treating this as a one-off box-tick.
What is the role of the CISO, and do we need to formally appoint one?

A Chief Information Security Officer (CISO) is the designated individual accountable for an organisation's information security posture and its reporting to the Board or a Board committee. SEBI's CSCRF specifically requires designated regulated entities to have a CISO function with a defined reporting line. RBI's framework similarly expects clear ownership of cybersecurity at a senior level for regulated entities. Even where not mandated, having a named accountable owner — whether a dedicated CISO, a CTO with the responsibility formally assigned, or an outsourced virtual CISO arrangement — is fundamental to the control environment actually functioning, since a review with no accountable owner on the other end tends to see its remediation roadmap stall.

Practitioner noteWe ask 'who owns this finding' for every single item in the remediation roadmap during the reporting stage. A roadmap with no named owner is, in our experience, a roadmap that does not get executed.
How does PNPC's Chennai/Bangalore/Hyderabad/Dubai presence matter for this kind of review?

For groups with operations spanning India and the UAE, we coordinate the review across jurisdictions under one engagement — assessing the Indian entity against SEBI/RBI/CERT-In/DPDP Act requirements as relevant, and coordinating with the UAE entity's own data protection and cybersecurity obligations under UAE federal and free-zone frameworks, so the Board gets one consistent risk picture rather than two disconnected reports from two different advisors.

Practitioner noteCross-border data flows between an Indian and UAE entity in the same group raise their own data-transfer and localisation questions on both sides — we flag these specifically for groups with that structure rather than treating each entity's review in isolation.
What if we do not have any formal IT policies at all — can you still conduct the review?

Yes. Absence of documented policy is itself a finding, and one of the most common starting points we see. We assess actual practice against the applicable framework regardless of whether formal policy exists, and the remediation roadmap will typically include drafting or formalising the missing policy documents as a first-tier action item alongside any technical control gaps.

Practitioner noteAn organisation with no written policy but genuinely disciplined practical controls sometimes scores better on operating effectiveness than one with an elaborate policy document nobody actually follows. We test both — design and operation — because they can diverge in either direction.
Will the review disrupt our day-to-day IT operations?

Generally no. The review is predominantly document review, interviews, configuration exports, and log analysis rather than intrusive testing of live systems. Where any testing does touch production systems (such as certain access control tests), we schedule it in coordination with your IT team during low-impact windows and confirm the approach in advance.

Practitioner noteWe are deliberately conservative about anything that could affect production stability — the review is meant to surface risk, not create an incident of its own during the assessment.
What is the difference between this review and a management self-assessment questionnaire?

A management self-assessment is an internal exercise — typically a checklist completed by the IT or security team itself, with no independent testing of whether the answers reflect reality. It carries no external assurance value for a Board, auditor, or regulator. A Cyber Security Control & IT Risk Review is performed by an independent party, involves actual testing of evidence (access logs, configuration exports, sampled transactions) rather than self-reported answers, and produces a report that carries genuine evidentiary weight for governance and, where relevant, regulatory purposes.

Practitioner noteWe have reviewed self-assessment questionnaires that confidently answered 'yes, MFA is enforced everywhere' — and found, on actual testing, several critical accounts with no MFA at all. Self-reported answers and tested evidence are not the same thing.
Can findings from this review affect our company's insurance claims if a breach occurs later?

Potentially, depending on your policy terms — many cyber-liability policies include representations and warranties about the security controls in place at the time of underwriting, and a documented history of known, unremediated Critical or High findings could be relevant to a claim if the breach exploited exactly that gap. This is a reason to treat remediation follow-through seriously, not just the initial assessment, and to discuss any material findings with your insurance broker or legal counsel.

Practitioner noteThis is precisely why we push clients toward genuine remediation verification rather than a report that sits in a drawer — an unremediated known finding is a very different position to be in during a claims dispute than one that was never identified in the first place.
Do smaller, unlisted, non-regulated companies ever need this review?

Yes, increasingly — not because of a direct statutory mandate, but because enterprise customers, investors, and insurers now routinely ask for evidence of a tested security control environment as a precondition of doing business. A mid-sized unlisted company selling into enterprise or government accounts, or approaching a Series A/B round, frequently finds this review requested as part of the counterparty's own due diligence checklist, well before any regulator would require it directly.

Practitioner noteWe now see this review requested by counterparties — enterprise procurement teams, investors — nearly as often as by direct regulatory obligation. Being able to produce a recent, credible report proactively, rather than scrambling when a term sheet or vendor contract demands one, is a real competitive advantage.
What happens during the 'IT General Controls' section if we use an accounting software provider that manages the infrastructure for us (SaaS/cloud accounting)?

Where core financial systems are hosted and managed by a third-party SaaS provider, the relevant ITGCs partly shift to that provider's environment. We assess what controls remain your organisation's responsibility (user access management within the application, approval workflows configured within the tool) versus what should be evidenced by the provider's own certifications (SOC 2 report, ISO 27001 certificate) — and flag where a provider cannot or will not furnish that evidence as a vendor risk finding in its own right.

Practitioner noteA surprising number of cloud accounting and ERP vendors, when asked directly for a SOC 2 report or ISO certificate, cannot produce one. That gap becomes a documented vendor-risk finding — it tells the Board something concrete about a dependency they may not have previously scrutinised.
How does this review interact with a prior year's audit findings or management letter points on IT?

We specifically request and review the prior year's statutory audit management letter and any IT-related findings as an input to scoping — a review that ignores what the statutory auditor already flagged risks either duplicating known findings without adding value or, worse, missing that a previously flagged gap was never actually closed.

Practitioner noteWe have, more than once, found a 'closed' prior-year audit finding that was marked complete internally but never actually verified — the same gap resurfaces almost every time in our independent testing. Closure claims deserve scepticism until verified.
Is remote/hybrid work a specific risk area you assess?

Yes. Remote and hybrid work materially expands the attack surface — VPN configuration and usage discipline, endpoint security on personally-owned (BYOD) devices, use of personal email or unsanctioned file-sharing tools for company data, and physical security of devices outside the office are all assessed as part of the access and endpoint control review, particularly for organisations that shifted to hybrid arrangements without formally updating their security policy to match.

Practitioner noteThe single most common gap we find in hybrid-work environments is a security policy still written for an office-only workforce, sitting alongside an actual operating reality of company data flowing through personal devices and home networks the policy never contemplated.
What deliverables do we actually receive at the end of the engagement?

A written report covering: the scope and methodology, the risk and control matrix mapped to the applicable framework, detailed findings with severity classification and evidence references, a prioritised and owner-assigned remediation roadmap, and an executive summary suitable for Board or Audit Committee presentation. PNPC also delivers the findings in person to the Board, Audit Committee, or IT Strategy Committee where requested, rather than simply emailing a PDF.

Practitioner noteWe always offer to present findings directly to the Board or Audit Committee rather than leaving that translation to internal IT or finance staff — directors ask sharper, more useful questions when they can question the independent reviewer directly.
How do you handle sensitive findings — do you share the full report with everyone in the organisation?

No. We agree report distribution and confidentiality handling with the engaging party (typically the Audit Committee or CFO/CISO) at the outset. Detailed technical findings, particularly anything classified Critical, are handled on a need-to-know basis, since a full vulnerability report circulated too widely can itself become a security risk if it falls into the wrong hands before remediation is complete.

Practitioner noteWe routinely provide a Board-level executive summary separate from the detailed technical findings report — different audiences genuinely need different levels of technical detail, and over-sharing the technical detail internally creates its own exposure.
Can this review be combined with our regular internal audit function?

Yes, and for organisations with an internal audit function under Section 138 of the Companies Act 2013, coordinating the cybersecurity review's timing and scope with the internal audit plan avoids duplicated effort and gives the Audit Committee one integrated risk picture rather than two separately-scheduled, overlapping reviews.

Practitioner noteWe proactively ask whether a client has an internal audit function and, if so, what its IT-risk coverage already includes — there is no value in re-testing the same control twice in the same year through two different engagements.
What is the earliest point in a company's lifecycle where this review becomes relevant?

There is no fixed trigger point in terms of company age — it is driven by risk exposure: the volume and sensitivity of data handled, whether a regulatory category applies, and whether enterprise customers or investors are asking for it. A company can be five years old with minimal data exposure and not yet need this review, or two years old and already need it because it processes payment data or is approaching a Series A round with investor due diligence in view.

Practitioner noteWe would rather have this conversation with a founder a year 'too early' than have them discover the need for it during an investor's due diligence process, under time pressure, with a term sheet deadline looming.
Why PNPC Global

PNPC Global vs typical cybersecurity vendors and generic IT audit providers

DimensionPNPC GlobalGeneric Security VendorPure Technical VAPT Shop
Regulatory mapping (SEBI/RBI/CERT-In/DPDP)Built into scoping — findings mapped to specific applicable clausesOften generic international-framework only, with limited India-specific regulatory mappingTypically out of scope — technical testing only, no regulatory interpretation
Link to statutory audit (Sec 143(3)(i), CARO 2020)Explicitly coordinated with the audit calendar and ITGC testing lensRarely coordinated — treated as a wholly separate exerciseNot addressed — different discipline entirely
Board/Audit Committee presentationDelivered in person by a senior CA, not just emailed as a PDFVaries — often a written report onlyWritten technical report only, rarely presented to the Board
Remediation follow-throughOwner-assigned roadmap with independent post-remediation verificationOften ends at report delivery, with limited or no follow-up verificationReport delivery is the end of the technical engagement scope
Continuity across yearsSame firm tracks findings, remediation, and the next cycle's reviewVendor relationships often reset each procurement cycleEngaged per-project; limited institutional continuity
Cross-border coordination (India–UAE)Single engagement across PNPC's India and Dubai officesRarely offered as an integrated serviceNot typically offered

What the PNPC package includes

  1. 01

    Regulatory scoping against SEBI CSCRF, RBI cybersecurity framework, CERT-In directions, and DPDP Act readiness, specific to your entity category

  2. 02

    Full IT asset and risk universe mapping, including shadow IT and third-party vendor access points often missed by internal reviews

  3. 03

    Governance and policy review against your actual operating practice — not just a paper-policy check

  4. 04

    Access control, identity management, and privileged-access testing across critical systems

  5. 05

    IT General Controls (ITGC) testing coordinated specifically to support your statutory auditor's Section 143(3)(i) and CARO 2020 work

  6. 06

    Data protection and DPDP Act readiness assessment, including data mapping, encryption, and consent-architecture review

  7. 07

    CERT-In compliance testing — log retention, NTP synchronisation, and incident-response six-hour reporting readiness

  8. 08

    Third-party and vendor risk review, including evidence review of vendor certifications (SOC 2, ISO 27001) where available

  9. 09

    Severity-classified findings report with a prioritised, owner-assigned remediation roadmap

  10. 10

    In-person Board, Audit Committee, or IT Strategy Committee presentation of findings

  11. 11

    Independent post-remediation verification before the next audit or reporting cycle

Cyber risk sits on your Board's agenda whether or not you have tested it yet — talk to PNPC Global before your regulator, your auditor, or an incident does the testing for you.

← Back to Audit & Assurance
Talk to a CA